diff --git a/README.md b/README.md
index eabf1cd..66e5670 100644
--- a/README.md
+++ b/README.md
@@ -77,7 +77,13 @@ C’est un VPS `V-R8 4 CPUs · 8 GB RAM`.
C’est une Ubuntu 18.04 (c’est imposé par BBB).
-Elle n’est **pas** gérée par Ansible, c’est un peu particulier BBB.
+Elle n’est **pas** gérée par Ansible, c’est un peu particulier BBB,
+mais le serveur `turn` l'est, et le playbook `turn.yml` configure
+quand même un fichier sur BBB.
+
+D'ailleurs pour tester la configurtion turn/stun:
+
+https://docs.bigbluebutton.org/administration/turn-server#test-your-turn-server
J’y ai appliqué un poil de ssh-hardening :
@@ -151,53 +157,6 @@ Il faut configurer le `.env` tel que:
Puis vérifier qu’exim et le firewall (attention c’est peut-être `ufw`)
les acceptent.
-
-### Configuration TURN/STUN
-
-L’installation de BBB n’étant pas gérée par Ansible, pour le moment la
-conf TURN/STUN est faite à la main, c’est la seule chose à faire, elle
-ressemble à :
-
-```xml
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-dans `/usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml`.
-
-
## backup1.afpy.org
♥ Machine sponsorisée par Gandi ♥
diff --git a/inventory b/inventory
index 9925fb7..af7b518 100644
--- a/inventory
+++ b/inventory
@@ -22,6 +22,9 @@ turn1.afpy.org
[dl]
deb2.afpy.org
+[bbb]
+bbb2.afpy.org
+
[rsnapshotted]
deb2.afpy.org
bbb2.afpy.org
diff --git a/turn.yml b/turn.yml
index 67f7167..070c85f 100644
--- a/turn.yml
+++ b/turn.yml
@@ -48,20 +48,64 @@
blockinfile:
path: /etc/turnserver.conf
block: |
+ listening-port=3478
+ tls-listening-port=443
+
+ listening-ip={{ansible_default_ipv4.address}}
+ relay-ip={{ansible_default_ipv4.address}}
+
+ min-port=32769
+ max-port=65535
+ verbose
+
fingerprint
+ lt-cred-mech
use-auth-secret
static-auth-secret={{turnserver_secret}}
+
realm=afpy.org
+
cert=/etc/turnserver/fullchain.pem
pkey=/etc/turnserver/privkey.pem
# From https://ssl-config.mozilla.org/ Intermediate, openssl 1.1.0g, 2020-01
cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
dh-file=/etc/turnserver/dhp.pem
+
+ keep-address-family
+
no-cli
no-tlsv1
no-tlsv1_1
+
+ # Block connections to IP ranges which shouldn't be reachable
no-loopback-peers
no-multicast-peers
+
+ # Private (LAN) addresses
+ # If you are running BigBlueButton within a LAN, you might need to add an "allow" rule for your address range.
+ # IPv4 Private-Use
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ # Other IPv4 Special-Purpose addresses
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ # IPv6 Unique-Local
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ # IPv6 Link-Local Unicast
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ # Other IPv6 Special-Purpose assignments
+ denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=64:ff9b:1::-64:ff9b:1:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
notify: restart coturn
- name: Create dph.pem file directory
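Review bot: `listening-ip=` and `relay-ip=` are both filled from `ansible_default_ipv4.address`; on a host whose default interface carries a private address (a NAT'd VPS), coturn would advertise an unroutable relay address and would additionally need `external-ip=`, so this is worth confirming against the real turn1 interface. The new relay range `min-port=32769`/`max-port=65535` and `tls-listening-port=443` also have to be allowed through whatever firewall the host runs (the README mentions ufw); no firewall task is visible in this hunk, so if one exists elsewhere in `turn.yml` it should be checked for this range. A comment above `listening-ip` such as `# assumes the default IPv4 address is the public one; add external-ip= if the host is behind NAT` would record that assumption for the next person. The `blockinfile` task starts before this hunk.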
@@ -97,3 +141,70 @@
name: coturn
state: restarted
daemon_reload: true
+
+- hosts: bbb
+ tasks:
+ - name: configure turn host
+ notify: restart bbb
+ copy:
+ dest: /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml
+ owner: root
+ group: root
+ mode: 0644
+ content: |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ handlers:
+ - name: restart bbb
+ command: bbb-conf --restart
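Review bot: `mode: 0644` on the `copy` task is an unquoted leading-zero literal; the YAML 1.1 loader Ansible uses reads it as octal, but a YAML 1.2 loader or a dropped zero silently changes the permissions, which is why Ansible recommends the string form `mode: "0644"`. The file written to `turn-stun-servers.xml` is the BBB-side TURN configuration, and if the rendered `content` embeds `turnserver_secret` (the XML lines are blank in this rendering, so I cannot see them) a world-readable 0644 exposes the shared secret to every local account; a tighter mode such as `0640` with the account that runs bbb-web as group would be preferable — confirm which account reads that file. The play `- hosts: bbb` sets no `become: true` while the task writes under `/usr/share` with `owner: root`; unless the connection user is root or become is set globally (not visible here), the task will fail.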